From mboxrd@z Thu Jan  1 00:00:00 1970
From: Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: Re: [PATCH 2/2] Audit: remove the limit on execve arguments when
	audit is running
Date: Wed, 03 Oct 2007 18:56:11 +0200
Message-ID: <1191430571.5599.31.camel@lappy>
References: <1191360589.9506.34.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1191360589.9506.34.camel@localhost.localdomain>
List-Unsubscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Eric Paris <eparis@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi Eric,

Thanks for ridding us of this wart!

On Tue, 2007-10-02 at 17:29 -0400, Eric Paris wrote:
> Remove the limitation on argv size.  The audit system now logs arguments 8k at a
> time so the attempt to keep the size of the execve args smaller than one netlink
> message is no longer a requirement.
> 
> Signed-off-by: Eric Paris <eparis@redhat.com>

Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>

> ---
>  kernel/auditsc.c |   10 ----------
>  kernel/sysctl.c  |   11 -----------
>  2 files changed, 0 insertions(+), 21 deletions(-)
> 
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index f9f61db..6627fce 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1876,8 +1876,6 @@ int __audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode
>  	return 0;
>  }
>  
> -int audit_argv_kb = 32;
> -
>  int audit_bprm(struct linux_binprm *bprm)
>  {
>  	struct audit_aux_data_execve *ax;
> @@ -1886,14 +1884,6 @@ int audit_bprm(struct linux_binprm *bprm)
>  	if (likely(!audit_enabled || !context || context->dummy))
>  		return 0;
>  
> -	/*
> -	 * Even though the stack code doesn't limit the arg+env size any more,
> -	 * the audit code requires that _all_ arguments be logged in a single
> -	 * netlink skb. Hence cap it :-(
> -	 */
> -	if (bprm->argv_len > (audit_argv_kb << 10))
> -		return -E2BIG;
> -
>  	ax = kmalloc(sizeof(*ax), GFP_KERNEL);
>  	if (!ax)
>  		return -ENOMEM;
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 53a456e..88e5d06 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -77,7 +77,6 @@ extern int percpu_pagelist_fraction;
>  extern int compat_log;
>  extern int maps_protect;
>  extern int sysctl_stat_interval;
> -extern int audit_argv_kb;
>  
>  /* this is needed for the proc_dointvec_minmax for [fs_]overflow UID and GID */
>  static int maxolduid = 65535;
> @@ -347,16 +346,6 @@ static ctl_table kern_table[] = {
>  		.mode		= 0644,
>  		.proc_handler	= &proc_dointvec,
>  	},
> -#ifdef CONFIG_AUDITSYSCALL
> -	{
> -		.ctl_name	= CTL_UNNUMBERED,
> -		.procname	= "audit_argv_kb",
> -		.data		= &audit_argv_kb,
> -		.maxlen		= sizeof(int),
> -		.mode		= 0644,
> -		.proc_handler	= &proc_dointvec,
> -	},
> -#endif
>  	{
>  		.ctl_name	= KERN_CORE_PATTERN,
>  		.procname	= "core_pattern",
> 
>